
The February 2017 WordPress Attack Report

Today we are releasing the WordPress attack report for February 2017. You can also find our January 2017 and December 2016 attack reports on the blog.

This report contains a new kind of analysis on the top 25 attacking IPs, called topology analysis. We have used this technique to identify groups of IPs acting in concert with each other. It is a fun visual kind of analysis and is a powerful way to analyze graph data. I think you are going to find it provides a clearer picture of the WordPress threat landscape.

The report also contains the data you have come to expect, including top 25 attacking IPs and their details, charts of brute force and complex attacks, top attacked themes and plugins and top attacking countries.

Most Active IPs

I’m including our usual explanation of how the table below works. If you’re familiar with our attack reports, you can skip down to the table below which contains the February data and read my comments that follow the table.

Brief introduction if you’re new to viewing these reports

In the table below we have listed the most active attack IPs for February 2017. Note that the ‘Attacks’ column is in millions and is the total of all attacks that originated from each IP. Further right in the table (you may have to scroll right) we break out the attacks into ‘brute force’ attacks and ‘complex’ attacks.

Brute force attacks are login guessing attacks. What we refer to as ‘complex’ attacks are attacks that were blocked by a rule in the Wordfence firewall.

We have also included the netblock owner which is the organization, usually a company, that owns the block of IP addresses that the attack IP belongs to. You can Google the name of the owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node, but it is clearly not, based on traffic.

We also include the country and a country flag. To the far right of the report we show the date in February we started logging attacks and the date attacks stopped. For many of these IPs we logged attacks for the entire month. For some you can see there is a clearly defined attack ‘window’ where the IP started and stopped.

The Top 25 Most Active IPs

Note that the table below contains many more columns than are visible. You can scroll to the right to see the rest of the columns.

If we display our list of the top 25 attacking IPs for February visually, a trend becomes clear.

The red squares above are our top 25 IPs. We have added additional data showing who owns each IP address and how they are linked. The green splotches are network ASNs or autonomous system numbers. The little houses are organization names associated with each IP.

As you can see the cluster on the top left has 9 attacking IP addresses on the same network. We zoom into that cluster below. The AS number for that network is 29262 which belongs to an organization called Ideal Hosting based in Turkey. Their company website is at: http://www.idealhosting.net.tr/.

Ideal Hosting provides managed services with port speeds up to 10Gbps. Their website includes full contact info, so we don’t think that they are a bulletproof host; instead they appear to be suffering from a severe security problem across multiple IP addresses. They may be leasing dedicated servers to a smaller hosting provider who is not securing the servers correctly, providing an attack platform.

All of the attacks from this network were brute force attacks. Every IP except one is a new entrant onto our top 25 list. The highest spot they achieved was 25 in January for a single IP. Now they’re up to 9 IPs attacking and have hit the number 7 spot on our top 25 list.

Dutch Provider HostKey.com generated 17.53 million attacks from 6 IPs during February

The second cluster on the right of our image is AS number 57043 which belongs to a Dutch hosting provider called HostKey. They also sell dedicated servers.

As is the case above, HostKey may be leasing servers to a customer that is not securing them and who has inadvertently created an attack platform. HostKey appeared on our top 25 list for the first time with 3 IP addresses at positions 8, 9 and 12 respectively. They have now expanded to 6 IP addresses on the list and have generated a total of 17.53 million attacks across the sites we protect for February.

Connecting Attackers Across Hosts

In today’s report it is clear that specific hosting providers are generating large numbers of attacks. So it is tempting to believe that the hosting providers themselves are malicious actors.

Let’s take a look at the data through a different lens. We are going to perform topological analysis on our attack data in February for the top 25 IPs. This will give us a visual indication of how attacking IPs are connected to the sites they attack and to each other.

Topological analysis of the Top 25 attacking IPs in February

To do this we are going to include all attacks originating from our top 25 IP addresses during the month of February. We have a lot of data, so to pare it down, we are only going to consider target websites that received more than 100 attacks from a single IP address during any 24 hour period in February.

What we end up with is: The top 25 IP addresses and which websites they attacked more than 100 times in any day during February.

The attack data is represented graphically showing the attacking IPs as large blobs connected by threads to the websites they attacked, which are small blobs.

Attacking IPs are large blobs and their size is dependent on the number of attacks they launched.

The lines linking nodes indicate an IP attacking a target website.

The websites are all small blobs.

The colorization indicates related communities of attackers.

To explain what is happening here, let’s zoom into the topmost cluster.

As you can see in the above cluster, the IP addresses include all 9 of the 185.X.X.X IPs in our top 25 that belong to Ideal Hosting.

It also includes all four IPs that are 5.39.X.X from HostKey.com in the Netherlands.

Let’s drag the IPs out of that cluster and separate them from the websites they are attacking to clear things up.

The cluster above shows that the attacking IPs in that cluster all appear to be attacking, for the most part, the same cluster of websites. They are attacking other websites, but there is a clear and large group of websites that these IPs are all attacking together. The IPs above appear to be behaving as a group.

What does normal non-related behavior look like?

In the cluster that appears on the right of our overview image, about halfway down, you can see what is more independent behavior by attacking IP addresses. In this case the mushroom shapes are groups of websites that are only being attacked by the IP address they are connected to and by no other attacker. That shows independent behavior.

You can also see in the above image that there are clear groups of victim websites that are being targeted by two IPs. And then in the center there are groups of websites that are being targeted by multiple IPs.

It is inevitable that many of the websites that Wordfence protects will be attacked by several of our most prolific attackers, so those center clusters are expected. The two-IP clusters are also expected for the same reason – because we have two attackers who overlapped in their attacks.

One possible reason for attackers targeting the same websites is “Google dorking” where an attacker identifies a vulnerable website based on data from Google’s index. If attackers use the same technique to locate target websites, they will end up attacking the same clusters of websites.

When we have a large mushroom shape, it indicates that IP is acting alone and is the only one attacking the sites in that cluster. So in the case of this purple cluster, these IPs appear to be acting independently because each of them is the only one attacking a large cluster of websites.
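The filtering rule, the bipartite IP-to-website graph and the shared-cluster versus ‘mushroom’ distinction described above, worked through in Python as an added example. This is not Wordfence’s code or data: the log records, the 192.0.2.0/24 addresses, the site names and the Jaccard-overlap grouping rule are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
def build_sample_log():
    """Constructed (ip, site, timestamp) records; 192.0.2.0/24 is the documentation range."""
    plan = [  # (ip, site, hits, minutes between hits)
        ("192.0.2.10", "site-a.example", 150, 5), ("192.0.2.10", "site-b.example", 130, 5),
        ("192.0.2.11", "site-a.example", 160, 5), ("192.0.2.11", "site-b.example", 120, 5),
        ("192.0.2.20", "site-c.example", 140, 5), ("192.0.2.20", "site-d.example", 110, 5),
        ("192.0.2.20", "site-a.example", 150, 30)]  # spread over 75 h: never >100 in any 24 h
    return [(ip, site, datetime(2017, 2, 20) + timedelta(minutes=i * gap))
            for ip, site, hits, gap in plan for i in range(hits)]

def qualifying_edges(records, threshold=100, window=timedelta(hours=24)):
    """(ip, site) pairs where some sliding 24 h window holds more than `threshold` attacks."""
    per_pair = defaultdict(list)
    for ip, site, ts in records:
        per_pair[(ip, site)].append(ts)
    edges = set()
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # evict timestamps that left the window
                start += 1
            if end - start + 1 > threshold:
                edges.add(pair)
                break
    return edges

def attack_graph(edges):
    targets, attackers = defaultdict(set), defaultdict(set)  # ip -> {sites}, site -> {ips}
    for ip, site in edges:
        targets[ip].add(site)
        attackers[site].add(ip)
    return targets, attackers
def exclusive_share(targets, attackers):
    """Fraction of each IP's targets attacked by no other IP (the report's 'mushroom' sites)."""
    return {ip: sum(len(attackers[s]) == 1 for s in sites) / len(sites)
            for ip, sites in targets.items()}

def attacker_groups(targets, min_jaccard=0.5):
    """Union-find over IPs whose target sets overlap by Jaccard >= min_jaccard (assumed rule)."""
    parent = {ip: ip for ip in targets}
    find = lambda x: x if parent[x] == x else find(parent[x])
    for a, b in combinations(targets, 2):
        if len(targets[a] & targets[b]) / len(targets[a] | targets[b]) >= min_jaccard:
            parent[find(a)] = find(b)
    roots = {find(ip) for ip in targets}
    return sorted(sorted(ip for ip in targets if find(ip) == r) for r in roots)
```

An exclusive share near 1.0 marks a lone ‘mushroom’ attacker, while IPs that land in the same group are the ones the report describes as behaving together; the sub-threshold edge shows why the 100-attacks-in-24-hours filter matters.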

Completely independent behavior by 220.227.234.129

At the very bottom of our overview image, we have a single IP address belonging to Reliance Communications based in Hyderabad, India. The IP is attacking a large number of websites that no other IP in our top 25 is attacking. This IP is the only IP based in India in our top 25 list.

One possible theory to explain the completely independent behavior of this IP is that it is targeting Indian websites. The attacker may also have a unique way of locating target websites that no other IP in our top 25 used.

Performing topological analysis on the behavior of our top 25 attacking IPs for February reveals behaviors and patterns that we would otherwise miss. In this case it has revealed that IPs at our two most prolific hosting providers are actually behaving as a group and are probably controlled by a single attacker.

Brute Force Attacks on WordPress in February 2017

As you can see we experienced a huge spike in brute force attack activity this February starting at approximately February 20th and sustaining until the end of the month. As a reminder, these are simply login guessing attacks. Wordfence blocked an average of 30 million brute force attacks per day across the websites that we protect in February. This is an increase from the 26 million attacks per day average we saw in January.

Complex Attacks on WordPress in February 2017

While brute force attacks were up significantly in February, complex attacks on WordPress sites dropped from 4.6 million per day average in January to only 3.3 million per day. Complex attacks are attacks that are blocked by our firewall and that try to exploit vulnerabilities in plugins, themes, WordPress core and other products installed with WordPress.

Attacks on Themes for February 2017

Once again we are not seeing much change in the rankings in the themes that are targeted for attack in WordPress. The biggest change is the ‘authentic’ theme has climbed 11 places to number 4 for February. This attack is probably trying to exploit the arbitrary file download vulnerability in that theme and is of course blocked by Wordfence.

Attacks on Plugins for February 2017

Our biggest gainer among attacked plugins in February is wp-pagenavi which gained 28 places. Attackers occasionally install fake versions of this plugin once a site is compromised. These may be attempts by attackers to access a fake plugin as part of a check to see if a site has been compromised. These are blocked by Wordfence.

Attacks by Country for February 2017

There are a few changes in the top 25 attacking countries for February 2017. Indonesia has made its debut in the top 25 by climbing 19 places since last month. The Philippines and Malaysia are also big gainers, climbing 12 and 10 places respectively.

Conclusion

That concludes the attack report for February 2017. I hope this has given you a clear picture of the threat landscape that confronts WordPress currently. In this report the new topology analysis we included has provided unique insight on how threat actors spread themselves across countries and hosting providers.

We saw a huge spike in brute force attacks in February and an average drop in the number of complex attacks. There was little change in the attacked themes and some change in the plugins we are seeing targeted.

As always you are welcome to share your thoughts and questions in the comments and I will be around to read and reply where needed.

Mrs. T: Not sure. But I think that they try to build a major network of hosts that can do big attacks on major infrastructures. Can't be sure yet, but I believe what Amazon Web Services had this week, might be the tip of the Iceberg.

Mrs. T - WF posted on this yesterday at https://www.wordfence.com/blog/2017/03/jersey-shore/

Are you WordFence folks adding these theme and plugin URLs to the threat defence feed rules/signatures list? If not I'll be maintaining a list in the "Immediately block IPs that access these URLs" field.

Don't do that. You may break your site. Our firewall uses a ruleset that blocks attacks intelligently. It recognizes a request to one of the components of a vulnerable plugin as malicious (e.g. SQLi attack) and allows through safe requests. That way your site will continue to function and you'll only block malicious traffic.

Amazing. Are we to assume that every attack vector and source you share in this post is completely defended against by Wordfence? For example, I was getting probes on wp-pagenavi for months and months, then it appears perhaps Wordfence is blocking. But it concerns me that I could easily figure out that the probes I was getting on pagenavi were the work criminals, while it took months for Wordfence to figure that out and start blocking.

All I had to do to figure out the criminal action was first see a probe hit in my website error logs, then research the IP where the probe came from and see that it was black listed on multiple lists. I put two-and-two together and blocked in Wordfence, but it seems that should have been done by Wordfence long before I figured it out as a total noob...

Wouldn't it be good if you sent this info report to the top providers where the attackers originate from?
As you asked the question yourself in the article: "it is tempting to believe that the hosting providers themselves are malicious actors" and "They may be leasing dedicated servers to a smaller hosting provider who is not securing the servers correctly, providing an attack platform."
But even if there is just a small chance of them taking care of it, it can be a big benefit to inform them about your very useful findings.
Who knows: they might take it seriously and try to do something about it.
Call me naive ;-)

If you are interested in this - read the book "Spam Nation". Although it is a bit dated, it gives great insight in how complex and well-organized many criminal spammers are -- confirms that some hosting providers do knowingly serve malicious criminal spammers.

Would you recommend adding these IPs to iptables? I know Wordfence is blocking them and IPs change and so on. But a month in the sin-bin might relieve pressure on the Wordfence program. Most of them seem to be coming from countries where there would be no legitimate users of my sites.

Interesting that when I checked the plugins that had been targeted, I used NOT a single one of them and never have. If it teaches us anything about running our Websites, it's to keep such tools to the absolute minimum (I've been using the same plugins for seven years) and ones that have stood the test of time.

I ask this because not only the data in your post but also the data from the site confirms this. I've had almost 1000 blocks from addresses in the Ukraine just in the last 24 hours. Does your data say anything about the IPs that are being blocked from these countries and the reasons why they are attempting to break into our sites? I run a stupid little blog that doesn't have anything on the inside except some articles. Seems like a lot of effort and money for what amounts to a tiny anchor point to install malware.

I was given the impression that unattended sites, sites without very many updates or blog posts, are the ones that are preferred for attacking, and then once they can get into your web host or shared hosting it can be a leaping-off point to fry bigger fish.

Another very interesting article, helping to contextualise what happens when one is attacked :).
Understanding the intent would be really great too...

Even though this may not be exactly the right place, also all our thanks for the fantastic help WordFence Security Services Team gave us to overcome a heavy (at our level) complex attack on our website... Efficiency, speed (even working from Sunday to Monday), clarity, efficacy and nice and helpful support.

This is truly great when power of analysis and understanding is coupled with practice and service. Thanks to all!!!
Helene

They are monitoring the traffic and fishing information from personal computers and use hacked companies to send bills through their system, without their consent. Today I had an attack from 91.200.12.52 - 4,000 hits. Seems to be just for monitoring purposes.